nmap

Basic usage

Base syntax

nmap [scan type] [options] {targets}

Target specification

IPv4 address: 192.168.1.1

IPv6 address: AABB:CCDD:FF%eth0

Host name: www.target.com

IP address range: 192.168.0-255.0-255

CIDR block: 192.168.0.0/16

Input from list of hosts/networks: -iL <filename>

Target ports

-F: scan 100 most popular ports

-p<port1>-<port2>: port range

-p<port1>,<port2>,...: port list

-pU:53,U:110,T:20-445: mix UDP and TCP ports (prefix each with U: or T:)

-r: scan ports consecutively - don't randomize

--top-ports <n>: scan n most popular ports

-p-65535: leaving off the initial port makes nmap start scanning at port 1

-p0-: leaving off the end port makes nmap scan up to port 65535

-p-: leaving off both start and end port makes nmap scan ports 1-65535

Probing options

-Pn: treat all hosts as online -- skip host discovery

-PB: default probe (TCP 80, 445 & ICMP)

-PS<port list>: check whether targets are up by probing TCP ports

-PE: use ICMP echo request.

-PP: use ICMP timestamp request.

-PM: use ICMP netmask request.

Scan types

-sn: probe only (host discovery, not port scan)

-sS: SYN scan (https://nmap.org/book/synscan.html)

-sT: TCP connect scan

-sU: UDP scan

-sV: version scan

-O: OS detection

--scanflags: set a custom list of TCP flags using URG, ACK, PSH, RST, SYN, FIN in any order (e.g. --scanflags URGACKPSH)

Timing options

-T0: paranoid scan, a very slow scan (used for IDS evasion)

-T1: sneaky scan, excellent for avoiding firewalls (used for IDS evasion)

-T2: polite scan, unlikely to interfere with the target system (about 10 times slower than default)

-T3: normal scan, the default NMAP timing template (based on target responsiveness)

-T4: aggressive scan, provides faster results on LANs (may overwhelm targets)

-T5: insane scan, a fast aggressive scan (will likely overwhelm targets or miss open ports)

Output formats

-oN: standard nmap output

-oG: greppable format

-oX: XML format

-oA <basename>: generate nmap, greppable, and XML output files using basename for files

Scripts

--script: specify a script to run on the target

-sC: equivalent to --script=default

Misc options

-n/-R: never do DNS resolution/Always resolve [default: sometimes]

-6: use IPv6 only

-A: enable several features at once, including OS detection, version detection, script scanning (default scripts), and traceroute.

--reason: display reason nmap thinks port is open, closed, or filtered.

--open: only show open (or possibly open) ports

-v: increase verbosity level (use -vv or more for greater effect)

Examples

nmap -sV {target ip}
nmap -sV -sC {target ip}
nmap -sV -sC -Pn {target ip}
nmap -sV --script http-enum -Pn {target ip}
nmap -p 445 --script vuln -Pn {target ip}
nmap -p 445 --script smb-vuln-* -Pn {target ip}
nmap -F -sV -sC -sU -T4 {target ip}
nmap -sV -sC -n --min-rate 1000 -T4 {target ip}
nmap -p- -sS --min-rate 5000 --open -vv -n -Pn {target ip}
# split the scan in two phases
ports=$(nmap -p- --min-rate 1000 -T4 -Pn {target ip} | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sV -sC -Pn {target ip}
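Added example (not part of the original cheatsheet): POSIX shell helpers for the two-phase scan above and for the greppable (-oG) format from the Output formats section. The nmap output embedded in it is constructed sample text, not a real scan, so it runs offline; the function names and the host addresses are assumptions. It also shows a caveat the one-liner above hides: grep '^[0-9]' keeps filtered ports too, so the phase-2 port list can contain ports that are not actually open unless phase 1 is run with --open.

```shell
#!/bin/sh
# Added example: helpers for parsing nmap output. All nmap output below is a
# constructed sample, not the result of a real scan.

# Constructed sample of nmap "normal" (-oN / stdout) output for one host.
sample_normal_output() {
  printf '%s\n' \
    'Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 12:00 UTC' \
    'Nmap scan report for 10.0.0.5' \
    'Host is up (0.0010s latency).' \
    'Not shown: 65531 closed tcp ports (reset)' \
    'PORT     STATE    SERVICE' \
    '22/tcp   open     ssh' \
    '80/tcp   open     http' \
    '445/tcp  open     microsoft-ds' \
    '8080/tcp filtered http-proxy' \
    '' \
    'Nmap done: 1 IP address (1 host up) scanned in 10.00 seconds'
}

# Constructed sample of greppable (-oG) output for two hosts; fields are tab-separated.
sample_greppable_output() {
  printf '# Nmap 7.94 scan initiated (constructed sample)\n'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65532)\n'
  printf 'Host: 10.0.0.6 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.6 ()\tPorts: 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65534)\n'
}

# Phase 1 helper: read normal output on stdin, emit "22,80,445".
# Unlike grep '^[0-9]', this keeps only lines whose STATE is "open", so a
# filtered port does not slip into the phase-2 list; prints nothing if none are open.
extract_open_ports() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
         split($1, a, "/")
         list = list (list == "" ? "" : ",") a[1]
       }
       END { if (list != "") print list }'
}

# -oG helper: one line per host that has a Ports: record, "<ip> <open ports or ->".
open_ports_by_host() {
  awk -F'[ \t,]+' '/Ports:/ {
         list = ""
         for (i = 1; i <= NF; i++)
           if ($i ~ /^[0-9]+\/open\//) { split($i, a, "/"); list = list (list == "" ? "" : ",") a[1] }
         print $2 " " (list == "" ? "-" : list)
       }'
}

# Build the phase-2 command line from a target and a phase-1 port list.
# Returns 1 (printing nothing) when the list is empty, so the caller does not
# launch a -sV -sC run against zero ports.
phase2_command() {
  target=$1; ports=$2
  [ -n "$ports" ] || return 1
  printf 'nmap -p%s -sV -sC -Pn %s\n' "$ports" "$target"
}

# Demo over the constructed samples; no network access or nmap binary needed.
demo() {
  ports=$(sample_normal_output | extract_open_ports)
  echo "phase-1 open ports: ${ports:-none}"
  phase2_command 10.0.0.5 "$ports" || echo "no open ports, skipping phase 2"
  sample_greppable_output | open_ports_by_host
}
demo
```

In a real run, phase 1 would be `nmap -p- --min-rate 1000 -T4 -Pn {target ip} | extract_open_ports`, and its result fed to phase2_command; the empty-list check matters because a fully filtered host otherwise produces `nmap -p -sV ...`, which nmap rejects.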
